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DETAILED ACTION 

1 . Claims 1 -21 are pending in this office action. 

2. Applicant's arguments filed June 15, 2004, have been fully considered but they 
are not persuasive. 

Rejections 

3. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

Claim Rejections - 35 USC § 102 

4. Claims 16 and 17 are rejected under 35 U.S.C. 102(b) as being anticipated by 
Spies et al. (U.S. Patent No. 5,689,565). 

Regarding claim 16 , Spies et al. teaches a computer-readable medium having 
stored thereon a data structure, comprising: 

• A first data field containing data representing a data length identifier and a tag 
type (fig. 9, ref. num 142); and 

• A second data field containing configuration data of said tag type and having a 
length described by said data length identifier (fig. 9, ref. num 144). 
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Regarding claim 17 . Spies et al. teaches wherein said data structure further 
comprises a plurality of additional data structures comprising one of said first data field 
and one of said second data field for a plurality of tags (col. 15, lines 63-67). 

Claim Rejections - 35 USC § 103 

5. Claims 1-7 and 12-15 are rejected under 35 U.S.C. 1 03(a) as being unpatentable 
over Shrader et al. (U.S. Patent No. 6,374,359) in view of Quimbv (U.S. Patent No. 
5,367,573), and further in view of Hardy etal. OJ.S. Patent No. 5,623,546). 

Regarding claims 1.-12. and 14 . Shrader et al. teaches a method/computer- 
readable medium/computer-controlled apparatus for storing session data on a client 
computer, comprising: 

• Encrypting said encoded configuration data using an encryption key to create 
encrypted encoded configuration data (fig. 4, ref. num 82); 

• Concatenating a secret, a length of the secret, and a length of the length of the 
secret with said encrypted encoded configuration data to form a session cookie 
(col. 7, lines 16-21, see response to arguments below); and 

• Transmitting said session cookie to said client computer (fig. 3, ref. num 62). 



Shrader et al. does not teach encoding said session data in a tag-length-value 
format to create encoded configuration" data, or that the encryption key is modified. 
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Quimbv teaches encoding said session data in a tag-length-value format to 
create encoded configuration data (col. 2, lines 56-67). 

It would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to combine encoding session data in a tag-length-value format, as 
taught by Quimbv , with the method of Shrader et al. It would have been obvious to 
combine encoding session data in a tag-length-value format, as taught by Quimbv , with 
the method of Shrader et al. because the TLV format allows an arbitrary number of 
fields of arbitrary length to be encoded (see col. 3, lines 59-62 of Quimby). 

Shrader et al. as modified by Quimbv still does not teach that the encryption key 
is a modified encryption key. 

Hardy et al. teaches the encryption key is a modified encryption key (fig. 2). 

It would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to combine using a modified encryption key, as taught by Hardy et 
aL, with the method of Shrader et al. as modified by Quimbv. It would have been 
obvious to combine using a modified encryption key, as taught by Hardy et aL with the 
method of Shrader et aL as modified by Quimbv because the modified encryption key 
allows the transfer of data between devices without the use of secure lines (see col. 2, 
lines 38-54 of Hardy et al.). 
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Regarding claims 2, 13, and 15 . the combination of Shrader et al. as modified by 
Quimbv and Hardy et al. teaches wherein said modified encryption key comprises a 
standard encryption key with said secret inserted at a predefined location (see fig. 2 of 
Hardy etal.). 

Regarding claim 3 . the combination of Shrader et al. as modified by Quimbv and 
Hardy et al. teaches wherein said modified encryption key further comprises a time 
stamp indicating a time at which said modified encryption key is created (see col. 3, 
lines 34-53 of Quimby). 

Regarding claim 4 , the combination of Shrader et al. as modified by Quimbv and 
Hardy et al. teaches further comprising: 

• Requesting said session cookie from said client computer (see fig. 5, ref. num 90 
of Shrader etal.); 

• Receiving said session cookie from said client computer (see fig. 5, ref. num 90 
of Shrader etal.); 

• Extracting said secret from said session cookie (see fig. 5, ref. num 98 of 
Shrader et al.); 

• Creating said modified encryption key by inserting said secret extracted from said 
session cookie into said standard encryption key at said predefined location (see 
fig. 3 and col. 6, lines 18-36 of Hardy et al.); and 
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• Decrypting said session data from said cookie using said modified encryption key 
(see fig. 5, ref. num 94 of Shrader et al.). 

Regarding claim 5 , the combination of Shrader et al. as modified by Quimbv and 
Hardy et al. teaches further comprising: 

• Decoding a tag from said session data (see fig. 5, ref. num 92 of Shrader et al.); 

• Determining whether said tag comprises a valid tag (see fig. 5, ref. num 96 and 
98 of Shrader etal); and 

• In response to determining that said tag comprises a valid tag, configuring said 
server using data contained in said tag (see fig. 5, ref. num 100 of Shrader et al.). 

Regarding claim 6 , the combination of Shrader et al. as modified by Quimbv and 
Hardy et al. teaches further comprising: 

• In response to determining that said tag does not comprise a valid tag, 
determining whether additional tags remain to be decoded from said encoded 
configuration data (see fig. 5, ERROR of Shrader et al.); and 

• In response to determining that additional tags remain to be decoded, decoding a 
next tag and determining whether said next tag comprises a valid tag (see fig. 5, 
ref. num 92, 96, and 98 of Shrader et al.). 

Because the Shrader et al. reference was modified by the Quimby reference to 
include TLV, the decoding step of Shrader et al. will now decode multiple tags, instead 
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of just the one cookie as displayed in the Shrader et al. reference. The modification 
demands the steps of processing every set of tag-length-value parameter that belongs 
to the entire session data. This means instead of producing ERROR, as shown in figure 
5 of Shrader et al., the modification now checks the next set of TLV values. 

Regarding claim 7 , the combination of Shrader et al. as modified by Quimbv and 
Hardy et al. teaches further comprising: in response to determining that said next tag 
comprises a valid tag, configuring said server using data contained in said next tag (see 
fig. 5, ref. num 100 of Shrader et al.). 

Claims 8-11 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shrader et al. (U.S. PN '359) as modified by Quimbv (U.S. PN '573) and Hardv et al. 
(U.S. PN '546), and further in view of Becker et al. (U.S. Patent No. 6,557,038). 

Regarding claim 8 , the combination of Shrader et al. as modified by Quimbv and 
Hardv et al. teaches all the limitations of claims 1-7 above. However, the combination 
of Shrader et al. as modified by Quimbv and Hardv et al. does not teach further 
comprising: in response to determining that additional tags do not remain to be 
decoded, periodically authenticating said session cookie. 
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Becker et al. teaches further comprising: in response to determining that 
additional tags do not remain to be decoded, periodically authenticating said session 
cookie (fig. 12). 

It would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to combine periodically authenticating said session cookie if 
additional tags do not remain, as taught by Becker et al. . with the method of Shrader et 
a! as modified by Quimbv and Hardy et al. It would have been obvious to combine 
periodically authenticating said session cookie if additional tags do not remain, as 
taught by Becker et al. . with the method of Shrader et al. as modified by Quimbv and 
Hardv et al. because the periodic authentication would enable the user to remain 
connected to the server. This would allow the user to not have to login repeatedly and 
also keep other third parties from accessing the data that was transferred between the 
user and the server. 

Regarding claim 9 . the combination of Shrader et al. as modified by Quimbv and 
Hardv et al. . and further in view of Becker et al. teaches wherein periodically 
authenticating said session cookie comprises: 

• Starting a session timer (see fig. 1 2, ref. num 1 202 of Becker et al.); 

• Determining whether said session timer has elapsed (see fig. 12, ref. num 1204 
of Becker etal.);and 
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• In response to determining that said session timer has elapsed (see fig. 12, ref. 
num 1206 of Becker et al.). 

o Requesting said session cookie from said client computer (see fig. 5, ref. 

num 90 of Shrader et al.), 
o Decrypting and decoding a tag contained in said session cookie (see fig. 

5, ref. num 92 and 94 of Shrader et al.), and 
o Determining whether said tag comprises a valid tag (see fig. 5, ref. num 96 

and 98 of Shrader et al.). 

Regarding claim 10 . the combination of Shrader etal. as modified by Quimbv 
and Hardv etal. . and further in view of Becker et al. teaches further comprising: 

• In response to determining that said tag comprises a valid tag, 

o Generating a new session cookie (see fig. 4, ref. num 80 of Shrader et 
al.), 

o Transmitting said new session cookie to said client computer (see fig. 3, 

ref. num 62 of Shrader et al.), and 
o Resetting said session timer (see fig. 1 1 , ref. num 1 1 04 of Becker et al.). 



Regarding claim 11 . the combination of Shrader et al. as modified by Quimbv 
and Hardv et al. . and further in view of Becker et al. teaches further comprising: in 
response to determining that said tag does not comprise a valid tag, ending a 
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communications session between said server computer and said client computer (see 
fig. 10, ref. num 1004 of Becker et al.). 

Claims 18-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Spies et al. (USPN '565). 

Regarding claim 18 , Spies et al. teaches wherein said data length identifier 
comprises the first two bits of said first data field (col. 16, lines 6-7). 

It would have been obvious to change the 'fixed-size' field from 32-bit to 2-bit, or 
any other size, as long as the field data remained fixed. 

Regarding claim 19 , Spies et al. teaches wherein said data length identifier 
comprises data indicating that the length of said second data field is one byte (col. 16, 
lines 10-14). 

Regarding claim 20 , Spies et al. teaches wherein said data length identifier 
comprises data indicating that the length of said second data field is four bytes (col. 16, 
lines 10-14). 

Regarding claim 21 , Spies et al. teaches wherein said data length identifier 
comprises data indicating that said tag type comprises an extended tag type (col. 16, 
lines 10-14). 
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It would have been obvious to indicate the length of the second data field is one 
byte or four bytes. Spies et al. teaches that the field is variable (meaning it can be 
different, i.e., one byte or four bytes) and that it is an exact byte count of the data 
contained in the value field. 

Response to Arguments 

6. Applicant argues: 

a. Claims 16 and 17 are allowed because the Spies et al. reference uses the 
word "consists" (meaning only those fields - no other fields allowed) and the tag 
142, length 144, and value 146 are not individually capable of containing data 
that identifies two distinct data types (page 5, last paragraph through page 6, 
third paragraph). 

b. Claims 1-15 fail to teach concatenating a secret, the length of the secret, 
and a length of the length of the secret with encrypted coded configuration data 
to form a session cookie (page 7, first paragraph through page 8, first 
paragraph). 

c. Dependent claims are allowable based on their dependency on 
independent claims (page 7, end of first paragraph). 

Regarding argument (a), examiner disagrees with applicant. The claim never 
states that the data structure is required to carry two distinct data types. Also, the 
definition of TLV (tag-length-value) states the tag defines the type of data contained, the 
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length consists of the total length of the tag, length, and value, and the value contains 
the value to be transmitted. One TLV data structure can contain one type of data, while 
another TLV data structure can contain a different type of data. 

Regarding argument (b), examiner-disagrees with applicant. Shrader et al. 
teaches, in col. 7, lines 16-21, the process of concatenating verification values together 
in order to construct a cookie. The cookie values can have different lengths because 
the TLV format used may contain more values in one instance and less in another 
instance. In order to solve that problem, a length field would be required to tell the 
cookie parser the length of the fields within the cookie. The length field would then also 
be dynamic in size, so a length of the length field, which is static, could describe the 
length field, which then describes the cookie data. 

Regarding argument (c), examiner disagrees with applicant. Based on the 
arguments set forth by the examiner for arguments (a) and (b), the dependent claims 
stand as rejected. 

Conclusion 

7. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .1 36(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
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shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Brandon Hoffman whose telephone number is 571-272- 
3863. The examiner can normally be reached on M-F 8:30 - 5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-21 7-91 97 (toll-free). 
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